Disable Content Security Policy (CSP) in Projects
Description
Content Security Policy (CSP) is a security feature designed to prevent specific types of attacks, such as Cross-Site Scripting (XSS) and data injection. Content Security Policy (CSP) provides an additional layer of security by restricting the sources from which content can be loaded.
All Telerik UI for ASP.NET Core components are CSP-compatible. For more information on enabling CSP in a Telerik UI for ASP.NET Core application, refer to the Content Security Policy documentation.
Starting with the 2025 Q1 release, CSP is enabled by default in all projects created using the Telerik UI for ASP.NET Core Visual Studio Extensions. However, handling CSP Templates in components, such as Grid, requires specific handling.
This article provides guidance on how to disable CSP compatibility when necessary in projects created through the Telerik UI for ASP.NET Core Visual Studio Extensions.
Solution
To disable CSP in a Telerik UI for ASP.NET Core application, follow these steps:
-
Open the
_Layout.cshtmlfile and remove the<meta>tag for CSP:HTML<meta http-equiv="Content-Security-Policy" content="..." /> -
Remove the
@Html.Kendo().DeferredScriptFile()line from the_Layout.cshtmlfile. -
In the
Program.csfile, remove theDeferToScriptFilessetting in theAddKendomethod and theKendoDeferredScriptsMiddlewaremiddleware (app.UseMiddleware<KendoDeferredScriptsMiddleware>();):C#var builder = WebApplication.CreateBuilder(args); ...existing code... builder.Services.AddKendo(x => { x.DeferToScriptFiles = true; }); var app = builder.Build(); ...existing code... app.UseMiddleware<KendoDeferredScriptsMiddleware>();
Once done, run the application and open the browser console with F12 to ensure that there are no client-side errors.